To successfully protect sensitive data, enterprises should not only follow a standardized set of guidelines to ensure they are capable of protecting data, says Forrester Research Senior Analyst Andrew Jaquith, but also to demonstrate their ability to protect that data to assessors, partners and others.

In this interview at the recent Forrester Security Forum 2010, Jaquith discusses Forrester's data governance maturity model, which serves as a benchmark for organizations looking to assess their data protection programs. He also explains how to assign responsibility for social network data, and tells why mobile device security has become the No. 1 data protection worry for many enterprises.

Read the full transcript from this video below:

Please note the full transcript is for reference only and may include errors. To report an error, contact editor@searchsecurity.com.

Eric Parizo: Let's talk about the maturity model for data security. A key mantra for Forrester's philosophy is never to prescribe technologies to treat symptoms if you will, when it comes to protecting sensitive data. Why is that?

Andrew Jaquith: Well, that's a fabulous formulation. I wish I'd thought of it. But I think that's right. I mean the context here in most enterprises is you're responding to problems du jour. So you read the newspapers, and the trade press, no offense to current company or anything, tends to focus on things that are high profile. So a Social Security Administration guy left a laptop in a van, got picked up by thieves, and that has caused them to reform how they managed data security, and all of a sudden full disk encryption showed up on the requisition sheets of all federal agencies. And soon thereafter on Fortune 500 priority lists all over. So, not to pick on full disk encryption, very valuable, but one of those situations where a symptom became correlated with an answer. And this is very endemic. What we try to do at Forrester is we try to look at this from a more strategic approach. So start with the simple question of how are you organized? What's your strategy going to be, about how you manage information? We ask companies to take cues from their executives. Do you value the information in your firm or not? Most companies intuitively know whether they're trying to do the bare minimum, so that they won't be embarrassed in the press. You've got some that are really paranoid about the publicity. You've got others that genuinely care about the security of their competitive information and their product plans.

So in those cases, that's where you start. You start with a strategy. You then need to think about what people aspects you need to tackle as part of your information control programs. So how do you organize? Do you devolve responsibilities to your business units and your functions? Do you keep it highly centralized? What kind of training do you need to have in place? What other kinds of structural questions do you need to answer about how you protect your information? So that's the second part. Process is about how you get things done. What are the things that you need to be good at as an organization, in order to be successful with securing information? So, for example, the nuts and bolts around forensics and investigations, that's a key competency. Classifying information is another. Providing ways of understanding, getting visibility into information flowing around your network. Labeling, these are all part of what your processes ought to be. And then finally, what's the technology that falls out of that? This is really where you can start to make build, buy, lease, partner type decisions, whether you really need data leak prevention or full disk encryption or email encryption. I can go on and on and on. But once you know how you organize, what you value, what your strategy is, you know what your organizational people values are, how you're governed, how you're organized, what processes you have in place, then you can finally get to the technology parts, and that's the order we recommend. And I'll be talking about this in more detail tomorrow morning.

Eric Parizo: Many organizations though do already have some of those components in place as part of their existing data security programs. How do you advise organizations to gauge the health of those initiatives currently?

Andrew Jaquith: What I described to you just a second ago, about the four basic components. So there's strategy, people, process, and technology. Every one of those areas has some key qualities that we like to see in enterprises, and what we recommend that you do is self-assess if you like. You can certainly talk to us. We're happy to help assess as well. Not to be too self-serving here. But we have a model for grading you on a one to five scale, or self-grading if you like, on all the dimensions of the model. Once you get that you have a sense of where you sit. Frankly, most enterprises don't want to be great at everything. One of the things that I hear all the time when I talk to enterprise customers is, "We want to know how we're doing relative to our peers around protecting our information." That's the first thing they say. Then the second thing they say is "and we're not a bank." Unless they are a bank, in which case they want to say "what are these other banks doing?" But for the most part, what that really gets to is calibrate your measurements relative to where I ought to be for the type of firm that I am. So if you're on a five scale for strategy and we're measuring you across all those dimensions, you might not need to be a five in all those categories. You might find that a three along the maturity curve is fine. So ultimately it's finding that gap between where you are today, versus where you want to be. And that's what looking at this from a maturity model standpoint says. What it means is not one size fits all. That you can adjust the assessment based on your taste, your priorities, and the industry that you're in.

Eric Parizo: Those elements you mentioned are what Forrester calls its capabilities and maturity model, correct?

Andrew Jaquith: That's right. Yep. We've patterned it after, at least the information control portion of it which I'm referring to here, is a subset of the Forrester Information and Security Maturity Model, which has 28 different domains, and information control is a subset of it. But it is exactly that. It is trying to provide a holistic way of looking at the problem and looking at it from an information-centric point of view.

Eric Parizo: Based on your experience with those themes in mind, what are the organizational and process changes companies most often need to make to be successful?

Andrew Jaquith: Really great question. I'll tell you, one of the toughest things for enterprises is to understand their own limitations. This model I call information control. But part of exercising control over your information is knowing when not to be a control freak. And this is a hard thing to get over for many enterprises. Because you have the information security department, right in the title, you would think that they're in charge of securing all the firm's information. Otherwise why isn't it called infrastructure security, right? But the truth though is that information that matters to the business is usually only known by the business. The IT teams don't really know what's valuable and what isn't. They know things that are radioactive. So SSNs obviously should not be floating around in email. Huge spreadsheets with medical records should not be sitting on laptops at home, by an employee when they take it home to work. We know this, right? So IT security has a responsibility for purifying their information streams and keeping the stuff that is clearly toxic out.

But when you get to issues of strategic intent, company secrets, trade information, this isn't something that security actually knows much about because it's not their business. So the key change that enterprises need to get over is to devolve. And from the standpoint of the IT security group, it means letting go of control, letting go of that aspect of it, giving the business units the tools that allow them to enforce their own compartmentalization needs, and really that's it. And allowing the business units to manage their security and their own information, in the same way that your boss manages your objectives for whether you're promoting. The way that they manage your salary, this is all part of whether you're running a tight ship managerially or not. So that's the biggest hurdle to get over is recognizing that there are elements of information security that only the business can know and that is best of all to the business.

Eric Parizo: Again, to play devil's advocate with you for a minute, another large research firm, who we won't mention, makes a similar point but does so specific to social networking data. But the other side of the coin is, is the security team going to be called on the carpet if sensitive product launch data, for instance, leaks out via Twitter or Facebook, what have you? How does the security team handle that, and is some internal evangelism required to kind of convey the message you mentioned?

Andrew Jaquith: So it's a great question. What does security do and what's their role here? In my view, the role is to be the standards setter, the provider of tools, assist with evaluations, a center of excellence on deployment and best practices. But ultimately, and maybe operations from the standpoint of making sure that it's up, it's running, it's functioning, that it scales the way it should and all of that. But from a day to day business operations standpoint, they can't do that. I mean it's just not part of what they do. IT isn't meant to be censors, nannies. Ultimately, you want to give the business the tools where they can get the information about what their employees are up to, but ultimately, they need to make disciplinary decisions or other decisions about whether those privileges are being abused or not.

I think to me this is part of what management is, as opposed to blaming somebody else for your own failings. If something leaks out over Twitter, a product launch leaks out over Twitter, it isn't IT security's fault. It's the employee's fault. And the reason that they did it is probably known between them and their manager. If they're leaking out on Twitter, there are bigger issues, and their boss probably ought to have known what they were before that. To me, it's more a symptom of a management issue than a technology failing. IT security can certainly buy a tool that will block access to Twitter, but if it's needed from a business standpoint, then what else are you going to do at the end of the day, about some of these very business specific items? Leaving things like SSNs and obviously toxic stuff out, the real trade secret stuff is really hard, and I think ultimately you have to treat it as a management problem.

Eric Parizo: Finally, in the context of your work with enterprises, right now what would you say is the number one trouble spot that enterprises often have when it comes to protecting their own data?

Andrew Jaquith: I'm not sure I'd call it a flashpoint so much as a point of worry. We get a lot of requests around some of these mobile devices, and what do we do. And to me that's the biggest worry right now. What do I need to do to secure them? What's coming down the pipe? Are these devices going to be secure over the longer term? Enterprises have a lot of questions, and it's because these devices are so personal. They're often purchased by employees, and because device ownership is a proxy for control, the prospect of not owning the device raises very unsettling questions about whether that also means that they're going to lose control as well. So I think this is one of the big battle lines right now. Some security teams have very legitimate fears about data security risks on employee-owned devices, or even consumer-grade devices that are being bought by the enterprise. And those that really just sort of figure, well, it's going to happen anyway, I need to be able to say yes to those employees that are going to do it. I think this is the big divide right now, and I don't think we've settled on an answer. But it's been interesting as I talk to clients about it, you know, you can usually put them in one bucket or the other. You clearly sense whether they're of the enabler variety, I mean enabling in sort of an AA sense, in some regards, versus those that are more kind of sticklers and don't want it to happen. So that's what I would say the biggest flashpoint is right now.
